Network Working Group C. Percival
Internet-Draft Tarsnap
Intended status: Informational S. Josefsson
Expires: March 28, 2013 SJD AB
September 24, 2012
The scrypt Password-Based Key Derivation Functiondraft-josefsson-scrypt-kdf-01
Abstract
This document specifies the password-based key derivation function
scrypt. The function derives one or more secret keys from a secret
string. It is based on memory-hard functions which offer added
protection against attacks using custom hardware. The document also
provides an ASN.1 schema.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 28, 2013.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
Percival & Josefsson Expires March 28, 2013 [Page 1]

Internet-Draft scrypt September 20121. Introduction
Password-based key derivation functions are used in cryptography for
deriving one or more secret keys from a secret value. Over the
years, several password-based key derivation functions have been
used, including the original DES-based UNIX Crypt-function, FreeBSD
MD5 crypt, PKCS#5 PBKDF2 [RFC2898] (typically used with SHA-1), GNU
SHA-256/512 crypt, Windows NT LAN Manager (NTLM) hash, and the
Blowfish-based bcrypt. These algorithms are based on similar
techniques that employ a cryptographic primitive, salting and/or
iteration. The iteration count is used to slow down the computation.
Providing that the number of iterations used is increased as computer
systems get faster, this allows legitimate users to spend a constant
amount of time on key derivation without losing ground to an
attackers' ever-increasing computing power - as long as attackers are
limited to the same software implementations as legitimate users.
However, as Bernstein pointed out in the context of integer
factorization, while parallelized hardware implementations may not
change the number of operations performed compared to software
implementations, this does not prevent them from dramatically
changing the asymptotic cost, since in many contexts - including the
embarrassingly parallel task of performing a brute-force search for a
passphrase - dollar-seconds are the most appropriate units for
measuring the cost of a computation. As semiconductor technology
develops, circuits do not merely become faster; they also become
smaller, allowing for a larger amount of parallelism at the same
cost. Consequently, existing key derivation algorithms, even when
the iteration count is increased so that the time taken to verify a
password remains constant, the cost of finding a password by using a
brute force attack implemented in hardware drops each year.
The scrypt function aims to reduce the advantage which attackers can
gain by using custom-designed parallel circuits for breaking
password-based key derivation functions.
For further background, see the original scrypt paper [SCRYPT].
The rest of this document is divided into sections that each describe
algorithms needed for the final "scrypt" algorithm.
Percival & Josefsson Expires March 28, 2013 [Page 3]

Internet-Draft scrypt September 20122. The Salsa20/8 Core Function
Salsa20/8 Core is a round-reduced variant of the Salsa20 Core. It is
a hash function from 64-octet strings to 64-octet strings. Note that
Salsa20/8 Core is not a cryptographic hash function since it is not
collision-resistant. See [SALSA20CORE] for the specification.
Percival & Josefsson Expires March 28, 2013 [Page 4]

Internet-Draft scrypt September 201212. Copying Conditions
The authors agree to grant third parties the irrevocable right to
copy, use and distribute this entire document or any portion of it,
with or without modification, in any medium, without royalty,
provided that, unless separate permission is granted, redistributed
modified works do not contain misleading author, version, name of
work, or endorsement information.
Percival & Josefsson Expires March 28, 2013 [Page 15]

Internet-Draft scrypt September 201215. Security Considerations
This document specifies a cryptographic algorithm. The reader must
follow cryptographic research of published attacks. ROMix has been
proven sequential memory-hard under the Random Oracle model for the
hash function. The security of scrypt relies on the assumption that
BlockMix with Salsa20/8 Core does not exhibit any "shortcuts" which
would allow it to be iterated more easily than a random oracle. For
other claims about the security properties see [SCRYPT].
Passwords and other sensitive data, such as intermediate values, may
continue to be stored in memory, core dumps, swap areas, etc, for a
long time after the implementation has processed them. This makes
attacks on the implementation easier. Thus, implementation should
consider storing sensitive data in protected memory areas. How to
achieve this is system dependent.
By nature and depending on parameters, running the scrypt algorithm
may require large amounts of memory. Systems should protect against
a denial of service attack resulting from attackers presenting
unreasonably large parameters.
Percival & Josefsson Expires March 28, 2013 [Page 18]